Debian Project Leader Andreas Tille has addressed the ongoing debate over age-verification laws and their potential impact on free software operating systems. Long story short: he clarified that Debian has not adopted a position and is awaiting legal analysis.
In his latest “Bits from the DPL” message, Tille stated that the main question is whether operating systems and package distribution mechanisms might be required to provide age-related information to applications.
He noted that Debian and other projects are discussing the issue, and that Software in the Public Interest, a non-profit corporation founded to act as a fiscal sponsor for organizations that develop open-source software and hardware, has begun seeking legal guidance.
He also noted that, from a non-lawyer perspective, it remains uncertain how these regulations would apply to a non-commercial, volunteer-driven project like Debian, which does not sell software and distributes it in a decentralized manner.
FUCKING THANK YOU.
My coffee maker has an operating system… Okay well actually i use an electric kettle but some of them do.
This law is impossible
Right now the only Debian system I have is on Oldstable. If Debian decides to implement age verification/attestation, do you think it’s going to be backported to that version? 🤔
You could just rip out the age verification bits, you have root access, it shouldnt be that hard. If it ever happens
Imagine having to verify your age for every docker container spun up by GitHub/forgejo actions.
Only restricted material will require an age verification.
This is what the DPL actually wrote on the subject:
Recent discussions have started around new age verification legislation that may affect free software operating systems. In particular, the California Digital Age Assurance Act (AB 1043), expected to take effect in 2027, raises questions about whether operating systems and package distribution mechanisms could be required to provide age-related information to applications. In parallel, a recently adopted law in Brazil appears to introduce similar requirements and is already in force, with initial interpretations suggesting it could apply to components such as package management tools. These developments are currently under discussion within Debian and other projects, and SPI has initiated efforts to obtain legal guidance. At this stage, the situation remains unclear, and further analysis is ongoing.
From a non-lawyer perspective, it is not yet clear how such regulations apply to a non-commercial, volunteer-driven project like Debian, which does not sell software and provides it in a highly decentralized way. It seems plausible that obligations, if any, may primarily affect redistributors or commercial entities building products on top of Debian. In such cases, Debian would as usual be open to contributions that help downstreams meet their requirements, while keeping such features optional and respecting the needs of users in other jurisdictions. However, this is an area where proper legal analysis is still required.
Source: https://lists.debian.org/debian-devel-announce/2026/04/msg00001.html
The legislation is clear and unambiguous : an operating system must provide an age verification which is able to accessible by third parties on the internet.
From a non-lawyer perspective, it is not yet clear how such regulations apply to a non-commercial, volunteer-driven project like Debian, which does not sell software and provides it in a highly decentralized way
There’s no mention of selling in the law.
Which component of Debian is an operating system for this purpose? The desktop environment? The system service? They come from various third party providers
I think the position to adopt is very clear:
- You stand upright facing the nearest government building.
- You extend your right arm horizontally in front of you.
- You rest your left hand, palm down, on top of your right arm, next to your antecubital fossa (the opposite side of the elbow).
- You make a fist with your right hand.
- Without opening your fist, you extend your right hand’s middle finger straight up.
- You decisively bend your right arm at the elbow, standing your forearm, fist, and middle finger straight up.
Thus you achieve the only reasonable position towards this nonsense.
You extend your right arm horizontally in front of you.
Uh oh…
You rest your left hand, palm down, on top of your right arm, next to your antecubital fossa (the opposite side of the elbow).
Oh, phew! I thought this was going to get dark for a second.
This is why I stick with Debian. Adults make decisions over there.
Can you verify this? Maybe we should require Debian contributors to prove they are adults. /s
TL;DR they are lawyering up and hasn’t said for or aginst
Fair enough, that means they’re probably gonna sue over it.
Debian uses systemd, so its coming whatever they decide.
The problem isn’t the specific nature of the rule: having an api call in the background that can broadcast a user’s age range (if it isn’t a clearly identifiable marker) makes sense.
The problem is that if the government is able to tell open source developers “YOU MUST INSERT THIS CODE OR ELSE!!!” then what’s next?
Will in 5 years they require Persona in order to install an Operating System to combat terrorism?
Will in 7 years they require a closed source module created by the government to be running at all times and the kernel must check to make sure if the closed source module is running?
Part of open source software is creativity, freedom, and freedom of speech. Some software is created because developers like creating things.
I hope Debian fights back against this on first amendment grounds. Great code is not that different from a great work of art, there is unique creativity in something elegantly coded that functions well, and telling developers they can’t code how they want is the path toward totalitarianism.
It’s one thing to force this into Microslop and Android and iOS because those are large profitable companies who don’t actually care as long as they make money. It’s another thing to force FOSS developers who develop for free because of the love of software and great code that they must change their code in a certain way.
The problem is that if the government is able to tell open source developers “YOU MUST INSERT THIS CODE OR ELSE!!!” then what’s next?
What’s next is that code gets a build flag that’s turned off in the makefile, and maintainers have to explicitly turn it on for that code to compile in. Distros maintain patches that add this sort of thing all the time, even if upstream refuses to do so.
And Debian is saying that, as a non-profit, all volunteer org? This bullshit doesn’t apply to them. They are building a legal basis for the makefile solution I’m describing above, and its default-off state in their repositories.
All of your catastrophising can be addressed this way. We need devs like you who can help make sure this solution is implemented exactly as described.
Debian repos are great - we can even blacklist official repos and replace them with bare, sketchy IP addresses if we like, and share binaries through them.
You cannot stop the signal. Quit thinking like a voter trapped in a Fascist hellscape, and start thinking like a hacker that the state cannot outmaneuver.
What else would you expect after FOSS was forced to deplatform and steal code developed by Russian contributors.
I sadly don’t know what this means! Oh, you mean Debian blacklisted Russian contributors but didn’t rebuild the code and kept using it?
